Found: under data protection legislation (including the UK General Data Protection Regulation and the Data Protection Act

Found: adequate and effective safeguards against abuse and arbitrariness.112 Further, section 37 of the Data Protection Act

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what steps he has taken to ensure that NHS data handled by Palantir Technologies cannot be accessed or processed by non-UK government entities.

Answered by Karin Smyth - Minister of State (Department of Health and Social Care)

The NHS Federated Data Platform (FDP) has been designed with stringent safeguards to ensure that patient data is protected in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Access to National Health Service health and social care data within the FDP is tightly controlled. Only authorised users are granted access, and solely for approved purposes that demonstrably benefit patient care or NHS operations. Palantir Technologies, as the software provider, operates strictly under the instruction of NHS England. They do not control the data, nor are they permitted to access, use, or share it for any independent purpose. To further strengthen data protection, the FDP incorporates advanced Privacy Enhancing Technology (NHS-PET), which has been procured from a separate supplier to ensure independence and to mitigate any potential conflicts of interest. This technology ensures that data is processed in a secure and privacy-preserving manner. The contract with Palantir Technologies includes robust confidentiality clauses and is governed by a comprehensive oversight framework. This framework includes regular audits, monitoring, and reporting to ensure compliance with legal and ethical standards. Data Protection Impact Assessments have been conducted to assess and mitigate any risks to individual rights and freedoms.

It is a contractual requirement that personal data stored in the FDP and NHS-PET cannot be accessed by its provider’s personnel or contractors based outside the United Kingdom. In accordance with GDPR principles of transparency and accountability, NHS England has published details which outline how data is protected, who can access it, and under what conditions. Further information is available at the following link:

https://www.england.nhs.uk/long-read/overarching-data-protection-impact-assessment-dpia-for-the-federated-data-platform-fdp/#18-in-which-country-territory-will-personal-data-be-stored-or-processed

These measures collectively ensure that NHS data remains under UK jurisdiction and all processing of patient information will be within the UK only. This is a contractual requirement, and one of the key principles of the FDP Information Governance Framework. Data cannot be accessed or processed by non-UK government entities.

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what assessment he has made of the security implications of awarding NHS data management contracts to (a) Palantir Technologies Inc. and (b) other companies with significant overseas (i) defence and (ii) intelligence clients.

Answered by Karin Smyth - Minister of State (Department of Health and Social Care)

In awarding the contract for the NHS Federated Data Platform (FDP), NHS England made an assessment of the cyber risk and the protections offered by each bidder. The FDP has extensive security arrangements in place to manage cyber risk, including:

• strong network security, such as firewalls and intrusion detection systems to monitor all network traffic to and from the platform, which helps to block unauthorised access and detect suspicious activity;
• data encryption, as all data stored on the platform is encrypted, both when it’s being transferred, or in transit, and when it’s at rest, or stored on servers; and
• regular security testing, as the platform undergoes regular penetration testing and vulnerability scanning to identify and fix any weaknesses in its security.

It is a contractual requirement that personal data stored in the FDP and its associated services (FDP-AS), including the NHS-Privacy Enhancing Technology, cannot be accessed by the provider’s own personnel or contractors from outside the United Kingdom. The FDP-AS contract stipulates that all data must be held within the UK and is subject to UK Data Protection Law, including the UK General Data Protection Regulation.

All FDP data processes and systems need to comply with the Technology Code of Practice, Government Data Standards, the Department’s Guide to good practice for digital and data-driven health technologies, the Data Protection Act 2018, and the UK General Data Protection Regulation, the Information Commissioner's Office’s guidance, and associated regulations, standards, and guidance.

The contract was awarded in conformance with public sector procurement law, as required. The National Health Service ran an independent procurement exercise. The choice of preferred supplier was not made by a single person, as it was the result of assessment by many different individuals. NHS England has a duty to treat all suppliers the same regardless of the public perception of any organisation, or the opinions held by any of their shareholders.

NHS England cannot exclude any supplier that is lawfully established and able to bid from participating in the procurement. The procurement process received external validation from multiple Government departments, as well as independent evaluations by Infrastructure and Projects Authority reviewers. There were no identified security concerns in relation to the contract awarded for the NHS FDP.

The Procurement Act 2023 has introduced new powers to exclude and debar suppliers from public sector contracts if they pose a national security risk. Cabinet Office has established the new National Security Unit for Procurement, which is responsible for investigating suppliers on national security grounds, both within the Government supply chain and for the wider public sector.

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, what due diligence steps his Department takes to assess national security risks before awarding public health data contracts to firms with links to (a) foreign intelligence or (b) military operations.

Answered by Karin Smyth - Minister of State (Department of Health and Social Care)

In awarding the contract for the NHS Federated Data Platform (FDP), NHS England made an assessment of the cyber risk and the protections offered by each bidder. The FDP has extensive security arrangements in place to manage cyber risk, including:

• strong network security, such as firewalls and intrusion detection systems to monitor all network traffic to and from the platform, which helps to block unauthorised access and detect suspicious activity;
• data encryption, as all data stored on the platform is encrypted, both when it’s being transferred, or in transit, and when it’s at rest, or stored on servers; and
• regular security testing, as the platform undergoes regular penetration testing and vulnerability scanning to identify and fix any weaknesses in its security.

It is a contractual requirement that personal data stored in the FDP and its associated services (FDP-AS), including the NHS-Privacy Enhancing Technology, cannot be accessed by the provider’s own personnel or contractors from outside the United Kingdom. The FDP-AS contract stipulates that all data must be held within the UK and is subject to UK Data Protection Law, including the UK General Data Protection Regulation.

All FDP data processes and systems need to comply with the Technology Code of Practice, Government Data Standards, the Department’s Guide to good practice for digital and data-driven health technologies, the Data Protection Act 2018, and the UK General Data Protection Regulation, the Information Commissioner's Office’s guidance, and associated regulations, standards, and guidance.

The contract was awarded in conformance with public sector procurement law, as required. The National Health Service ran an independent procurement exercise. The choice of preferred supplier was not made by a single person, as it was the result of assessment by many different individuals. NHS England has a duty to treat all suppliers the same regardless of the public perception of any organisation, or the opinions held by any of their shareholders.

NHS England cannot exclude any supplier that is lawfully established and able to bid from participating in the procurement. The procurement process received external validation from multiple Government departments, as well as independent evaluations by Infrastructure and Projects Authority reviewers. There were no identified security concerns in relation to the contract awarded for the NHS FDP.

The Procurement Act 2023 has introduced new powers to exclude and debar suppliers from public sector contracts if they pose a national security risk. Cabinet Office has established the new National Security Unit for Procurement, which is responsible for investigating suppliers on national security grounds, both within the Government supply chain and for the wider public sector.

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, whether contracts awarded to Palantir Technologies Inc. for NHS data infrastructure permit cross-border data sharing without UK regulatory approval.

Answered by Karin Smyth - Minister of State (Department of Health and Social Care)

In awarding the contract for the NHS Federated Data Platform (FDP), NHS England made an assessment of the cyber risk and the protections offered by each bidder. The FDP has extensive security arrangements in place to manage cyber risk, including:

• strong network security, such as firewalls and intrusion detection systems to monitor all network traffic to and from the platform, which helps to block unauthorised access and detect suspicious activity;
• data encryption, as all data stored on the platform is encrypted, both when it’s being transferred, or in transit, and when it’s at rest, or stored on servers; and
• regular security testing, as the platform undergoes regular penetration testing and vulnerability scanning to identify and fix any weaknesses in its security.

It is a contractual requirement that personal data stored in the FDP and its associated services (FDP-AS), including the NHS-Privacy Enhancing Technology, cannot be accessed by the provider’s own personnel or contractors from outside the United Kingdom. The FDP-AS contract stipulates that all data must be held within the UK and is subject to UK Data Protection Law, including the UK General Data Protection Regulation.

All FDP data processes and systems need to comply with the Technology Code of Practice, Government Data Standards, the Department’s Guide to good practice for digital and data-driven health technologies, the Data Protection Act 2018, and the UK General Data Protection Regulation, the Information Commissioner's Office’s guidance, and associated regulations, standards, and guidance.

The contract was awarded in conformance with public sector procurement law, as required. The National Health Service ran an independent procurement exercise. The choice of preferred supplier was not made by a single person, as it was the result of assessment by many different individuals. NHS England has a duty to treat all suppliers the same regardless of the public perception of any organisation, or the opinions held by any of their shareholders.

NHS England cannot exclude any supplier that is lawfully established and able to bid from participating in the procurement. The procurement process received external validation from multiple Government departments, as well as independent evaluations by Infrastructure and Projects Authority reviewers. There were no identified security concerns in relation to the contract awarded for the NHS FDP.

The Procurement Act 2023 has introduced new powers to exclude and debar suppliers from public sector contracts if they pose a national security risk. Cabinet Office has established the new National Security Unit for Procurement, which is responsible for investigating suppliers on national security grounds, both within the Government supply chain and for the wider public sector.

Question to the Department of Health and Social Care:

To ask the Secretary of State for Health and Social Care, whether his Department has made a cyber risk assessment of the use of Palantir’s software in centralised NHS data platforms.

Answered by Karin Smyth - Minister of State (Department of Health and Social Care)

In awarding the contract for the NHS Federated Data Platform (FDP), NHS England made an assessment of the cyber risk and the protections offered by each bidder. The FDP has extensive security arrangements in place to manage cyber risk, including:

• strong network security, such as firewalls and intrusion detection systems to monitor all network traffic to and from the platform, which helps to block unauthorised access and detect suspicious activity;
• data encryption, as all data stored on the platform is encrypted, both when it’s being transferred, or in transit, and when it’s at rest, or stored on servers; and
• regular security testing, as the platform undergoes regular penetration testing and vulnerability scanning to identify and fix any weaknesses in its security.

It is a contractual requirement that personal data stored in the FDP and its associated services (FDP-AS), including the NHS-Privacy Enhancing Technology, cannot be accessed by the provider’s own personnel or contractors from outside the United Kingdom. The FDP-AS contract stipulates that all data must be held within the UK and is subject to UK Data Protection Law, including the UK General Data Protection Regulation.

All FDP data processes and systems need to comply with the Technology Code of Practice, Government Data Standards, the Department’s Guide to good practice for digital and data-driven health technologies, the Data Protection Act 2018, and the UK General Data Protection Regulation, the Information Commissioner's Office’s guidance, and associated regulations, standards, and guidance.

The contract was awarded in conformance with public sector procurement law, as required. The National Health Service ran an independent procurement exercise. The choice of preferred supplier was not made by a single person, as it was the result of assessment by many different individuals. NHS England has a duty to treat all suppliers the same regardless of the public perception of any organisation, or the opinions held by any of their shareholders.

NHS England cannot exclude any supplier that is lawfully established and able to bid from participating in the procurement. The procurement process received external validation from multiple Government departments, as well as independent evaluations by Infrastructure and Projects Authority reviewers. There were no identified security concerns in relation to the contract awarded for the NHS FDP.

The Procurement Act 2023 has introduced new powers to exclude and debar suppliers from public sector contracts if they pose a national security risk. Cabinet Office has established the new National Security Unit for Procurement, which is responsible for investigating suppliers on national security grounds, both within the Government supply chain and for the wider public sector.

Question to the Department of Health and Social Care:

To ask His Majesty's Government what assessment they have made of the use of artificial intelligence for note-taking in the NHS.

Answered by Baroness Merron - Parliamentary Under-Secretary (Department of Health and Social Care)

The Government is committed to supporting and enabling the safe, effective, and ethical deployment and adoption of new technologies for the National Health Service. Ambient voice technologies (AVTs) hold transformative potential for the health and care system as note-taking aides. Their adoption, when used safely and securely, is encouraged to improve both the quality of patient care and operational efficiency. NHS England has published guidance on how digital technologies should be approved for use in the NHS, covering key areas such as implementation, information governance, data, security, privacy, and controls. Additional national guidance has been published explaining how AVT solutions should be selected, deployed, and scaled. These standards are required for any AVT solution to be considered safe, effective, and eligible for NHS adoption.

There are strict safeguards in place throughout the NHS to protect data. All providers of services which handle patient data must protect that data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and every health organisation is required to appoint a Caldicott Guardian to advise on the protection of people’s health and care data, to ensure it is used properly. This includes where artificial intelligence (AI) is used in relation to patient records.

To mitigate the likelihood and severity of any potential harm to individuals arising from the use of data in AI, the Information Commissioners Office has developed detailed AI guidance which provides information on data protection, including Data Protection Impact Assessments and UK GDPR. It has also produced an AI toolkit to support organisations auditing compliance of their AI-based technologies. NHS bodies are expected to make use of this guidance and toolkit, including those using AVTs.

Question to the Department of Health and Social Care:

To ask His Majesty's Government whether they plan to develop artificial intelligence note-taking technology for the NHS to safely and securely store patient data.

Answered by Baroness Merron - Parliamentary Under-Secretary (Department of Health and Social Care)

The Government is committed to supporting and enabling the safe, effective, and ethical deployment and adoption of new technologies for the National Health Service. Ambient voice technologies (AVTs) hold transformative potential for the health and care system as note-taking aides. Their adoption, when used safely and securely, is encouraged to improve both the quality of patient care and operational efficiency. NHS England has published guidance on how digital technologies should be approved for use in the NHS, covering key areas such as implementation, information governance, data, security, privacy, and controls. Additional national guidance has been published explaining how AVT solutions should be selected, deployed, and scaled. These standards are required for any AVT solution to be considered safe, effective, and eligible for NHS adoption.

There are strict safeguards in place throughout the NHS to protect data. All providers of services which handle patient data must protect that data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and every health organisation is required to appoint a Caldicott Guardian to advise on the protection of people’s health and care data, to ensure it is used properly. This includes where artificial intelligence (AI) is used in relation to patient records.

To mitigate the likelihood and severity of any potential harm to individuals arising from the use of data in AI, the Information Commissioners Office has developed detailed AI guidance which provides information on data protection, including Data Protection Impact Assessments and UK GDPR. It has also produced an AI toolkit to support organisations auditing compliance of their AI-based technologies. NHS bodies are expected to make use of this guidance and toolkit, including those using AVTs.

Question to the Home Office:

To ask the Secretary of State for the Home Department, if she will (a) take steps to make identity theft a police-recordable crime and (b) make an assessment of the adequacy of support given to victims of identity theft.

Answered by Diana Johnson - Minister of State (Home Office)

The act of stealing personal information, and using it for criminal means and gains, is already outlawed. This includes through legislation such as the Fraud Act 2006, Computer Misuse Act 1990 and the Data Protection Act 2018.

The most effective way of preventing identity theft is to improve the safety and security of the identity systems we use and empower people to protect themselves from identity theft, particularly online.

We have introduced a checklist providing advice and steps on how to prevent the misuse of identities which can be found here:https://data.actionfraud.police.uk/cms/wp-content/uploads/2023/12/Identity-theft-victims-checklist.pdf

Further information about staying safe online and to avoid identity theft-enabled fraud can be found at: https://stopthinkfraud.campaign.gov.uk/

Question to the Department for Digital, Culture, Media & Sport:

To ask the Secretary of State for Culture, Media and Sport, how many permanent civil servants in her Department had their contract of employment terminated as a result of poor performance in the (a) 2022-23, (b) 2023-24 and (c) 2024-25 financial years.

Answered by Stephanie Peacock - Parliamentary Under Secretary of State (Department for Culture, Media and Sport)

From 1st April 2022 - 31st March 2025 there were seven dismissals. Of this total there were less than five poor performance dismissals that occurred between April 2023- March 2024.

We are unable to provide the precise number of poor performance dismissals because this would constitute a breach of the Data Protection Act, this is because the information relates to someone other than the data subjects and the risk of individuals becoming identifiable where case numbers are 5 or less.

Question to the Ministry of Defence:

To ask the Secretary of State for Defence, if he will place in the Library a list of the (a) titles, (b) file names and (c) dates of creation of each document held by the Atomic Weapons Establishment on the Merlin database.

Answered by Al Carns - Parliamentary Under-Secretary (Ministry of Defence) (Minister for Veterans)

Officials are working at pace to formally transfer the records on the Merlin database to The National Archives (TNA), whilst ensuring that sensitive information is protected in line with the Data Protection Act 2018 and national security requirements. Once transferred, the records will be listed and accessible on TNA’s website.

Question to the Department for Science, Innovation & Technology:

To ask the Secretary of State for Science, Innovation and Technology, if he will make an assessment of the potential merits of bringing forward legislative proposals to require employers to provide cyber security training, in the context of the recent cyber security incidents in the retail sector.

Answered by Feryal Clark - Parliamentary Under Secretary of State (Department for Science, Innovation and Technology)

The cyber security of the UK economy is a priority, which is why the government already offers free cyber security training via the National Cyber Security Centre website. This includes the “Top Tips for Staff”, an online, accessible cyber security training package for organisations of all sizes and sectors, and the new Cyber Governance Code of Practice, which includes a training package to help boards and directors manage digital risks in their organisations. More widely, the government offers a range of guidance to help organisations improve their cyber resilience and many of these products recommend staff training. Existing legislation - including the Security of Network & Information Systems Regulations (2018) and the Data Protection Act (2018) - includes recommendations for organisations in scope to provide appropriate training for their staff. This year we will introduce the Cyber Security and Resilience Bill to improve UK cyber defences and better secure our essential services and the IT infrastructure they rely upon. Later this year, the government will publish a new National Cyber Strategy setting out how we will approach the challenges and opportunities of cyber security.

Found: data 236 DVLA records can be disclosed for non-road traffic offences under schedule 2, Data Protection Act

Found: protection legislation”, “personal data” and “processing” have the same meanings as in the Data Protection Act

Found: protection legislation”, “personal data” and “processing” have the same meanings as in the Data Protection Act

Found: recovered or received for work done for other departments, freedom of information receipts, Data Protection Act

Found: recovered or received for work done for other departments, freedom of information receipts, Data Protection Act

Found: legislation). (3) In this section “the data protection legislation” has the same meaning as in the Data Protection Act

Found: (3) In this section “the data protection legislation” has the same meaning as in the Data Protection Act

Found: (9) In this section— “data protection legislation” has the same meaning as in the Data Protection Act

Found: following new Clause— “Exemption from UK GDPR: illegal migration and foreign criminals (1) The Data Protection Act

Found: ) 5 In subsection (3)(a) “the data protection legislation” has the same meaning as in the Data Protection Act

Found: following new Clause— “Exemption from UK GDPR: illegal migration and foreign criminals (1) The Data Protection Act

Found: notes that “the data protection legislation” under this Bill has the same definition as in the Data Protection Act

Found: ). 30(3) In this section “the data protection legislation” has the same meaning as in the Data Protection Act

Found: following new Clause— “Exemption from UK GDPR: illegal migration and foreign criminals (1) The Data Protection Act

Found: (2) In subsection (1), “the data protection legislation” has the same meaning as in the Data Protection Act

Found: with data protection legislation ( UK General Data Protection Regulation and Part 3 of the Data Protection Act

Found: (8) In this section— 15“the data protection legislation” has the same meaning as in the Data Protection Act

Found: General (8) In this section— “the data protection legislation” has the same meaning as in the Data Protection Act

Found: following new Clause— “Exemption from UK GDPR: illegal migration and foreign criminals (1) The Data Protection Act

Found: meaning as in section 104; “data protection legislation” has the same meaning as in the Data Protection Act

Found: meaning as in section 104; “data protection legislation” has the same meaning as in the Data Protection Act

Found: by these restrictions provided that the disclosure is compliant with Human Rights Act 1998, Data Protection Act

Found: following new Clause— “Exemption from UK GDPR: illegal migration and foreign criminals (1) The Data Protection Act

Found: section “the data protection legislation” and “processing” have the same meaning as in the Data Protection Act

Found: information in contravention of the data protection legislation within the meaning of the Data Protection Act

Found: (2) For the purposes of Article 6(1) of the UK GDPR, section 35 of the Data Protection Act 2018 (

Found: (2) For the purposes of Article 6(1) of the UK GDPR, section 35 of the Data Protection Act 2018 (“

Found: information in contravention of the data protection legislation within the meaning of the Data Protection Act

Found: information in contravention of the data protection legislation within the meaning of the Data Protection Act

Found: information in contravention of the data protection legislation within the meaning of the Data Protection Act

Found: (3) Paragraph 4 of Schedule 2 to the Data Protection Act 2018 shall not apply to personal data to

Found: (5)In subsection (4) “the data protection legislation” has the same meaning as in the Data Protection Act

Found: information in contravention of the data protection legislation within the meaning of the Data Protection Act

Found: section “the data protection legislation” and “processing” have the same meaning as in the Data Protection Act

Found: information in contravention of the data protection legislation within the meaning of the Data Protection Act

Found: information in contravention of the data protection legislation within the meaning of the Data Protection Act

Found: (3) Paragraph 4 of Schedule 2 to the Data Protection Act 2018 shall not apply to personal data to

Found: (3) Paragraph 4 of Schedule 2 to the Data Protection Act 2018 shall not apply to personal data to

Found: (7) In subsection (6), “the data protection legislation” has the same meaning as in the Data Protection Act

Found: under section 38A do not authorise the disclosure or use of information that contravenes the Data Protection Act

Found: (5)In subsection (4) “the data protection legislation” has the same meaning as in the Data Protection Act

Found: In this paragraph— 10 1 “the data protection legislation” has the same meaning as in the Data Protection Act

Found: (6) In this paragraph— 20“the data protection legislation” has the same meaning as in the Data Protection Act

Found: information in contravention of the data protection legislation within the meaning of the Data Protection Act

Found: section “the data protection legislation” and “processing” have the same meaning as in the Data Protection Act

Found: (2) For the purposes of Article 6(1) of the UK GDPR, section 35 of the Data Protection Act 2018 (“

Found: section “the data protection legislation” and “processing” have the same meaning as in the Data Protection Act

Found: (2) For the purposes of Article 6(1) of the UK GDPR, section 35 of the Data Protection Act 2018 (“

Found: (2) For the purposes of Article 6(1) of the UK GDPR, section 35 of the Data Protection Act 2018 (“

Found: (3) Paragraph 4 of Schedule 2 to the Data Protection Act 2018 shall not apply to personal data to

Modernising Employment APPG
Wednesday 11th June 2025

Found: addressed by other regulations, such as the UK General Data Protection Regulations (UK GDPR) and Data Protection Act

Found: All requests for information will be considered under the Data Protection Act. 

Found: The Planning Inspectorate is registered under the Data Protection Act, so that we may hold information

Found: database on contact details of land managers should be established within the constraints of the Data Protection Act

Found: special severance payments conflicting with a legal obligation arising as a result of the Data Protection Act

Found: The DUAA will not replace the UK General Data Protection Regulation (“UK GDPR”), Data Protection Act

Found: to third parties only in compliance with the UK General Data Protection Regulation and the Data Protection Act

Found: Office holds and uses data for purposes notified to the Information Commissioner under the Data Protection Act

Found: third parties only in compliance with the UK General Data Protection Regulation and the UK Data Protection Act

Found: over their personal data under the UK General Data Protection Regulation or UK GDPR and the Data Protection Act

Found: Follow legal guidance, such as the Data Protection Act and UK GDPR.

Found: Services Act 1994 43 The Counter-Terrorism Act 2008 44 The Human Rights Act 1998 44 The Data Protection Act

Found: personal data’ for the purposes of the Act is as defined in section 86(7)(a) to (e)of the Data Protection Act

Found: case is concluded. 32.1.4 Material supplied by the initial forensic unit is subject to the Data Protection Act

Found: to customer data, as well as destruction of data, in line with our obligations under the Data Protection Act

Found: to customer data, as well as destruction of data, in line with our obligations under the Data Protection Act

Found: and freedom of information (FOI) requests The Financial Ombudsman Service is covered by the Data Protection Act

Found: under the Freedom of Information Act 2000, Environmental Information Regulations 2004 or the Data Protection Act

Found: staff, and suppliers must protect the confidentiality of census data by law, including the: • Data Protection Act

Found: staff, and suppliers must protect the confidentiality of census data by law, including the: • Data Protection Act

Found: Section 8(d) of the Data Protection Act 2018 states that this will include processing of personal data

Found: be disclosed in accordance with UK legislation (the Freedom of Information Act 2000, the Data Protection Act

Found: to information regimes (these are primarily the Freedom of Information Act 2000 (FOIA), the Data Protection Act

Found: as set out in Articles 13 and 14 of UK General Data Protection Regulation (UK GDPR) and the Data Protection Act

Found: DfT is also committed to ensuring that its policies and practices comply with the Data Protection Act

Found: health is considered to be special category data under UK data protection law - UKGDPR and Data Protection Act

Found: their obligations under the UK General Data Protection Regulation (UK GDPR) and Part 3 of the Data Protection Act

Found: The Planning Inspectorate is registered under the Data Protection Act, so that we may hold information

Found: In this clause, "data protection legislation" has the same meaning as in the Data Protection Act 2018

Found: safeguarding regulations are complied with. 15.0 GDPR 15.1 TPs must comply with the UK General Data Protection Act

Found: commissions or agencies from time to time carrying out functions on its behalf;DPA 2018 means the Data Protection Act

Found: Recognition Act 2004 ................................ ................................ .... 11 Data Protection Act

Found: This authorisation covers acts under: • UK General Data Protection Act (UK GDPR) • Data Protection Act

Found: accordance with the CMA’s obligations under the UK General Data Protection Regulation and the Data Protection Act

Found: handle your report in confidence process any information relating to you in accordance with the Data Protection Act

Found: third parties only in compliance with the UK General Data Protection Regulation and the UK Data Protection Act

Found: to third parties only in compliance with the UK General Data Protection Regulation and the Data Protection Act

Found: to third parties only in compliance with the UK General Data Protection Regulation and the Data Protection Act

Found: the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Data Protection Act

Found: the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Data Protection Act

Found: protection: caseworker guidance This guidance tells HM Passport Office staff about the Data Protection Act

Found: case is concluded. 32.1.4 Material supplied by the initial forensic unit is subject to the Data Protection Act

Found: awarded this in August 2008.The UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act

Found: awarded this in August 2008.The UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act

Found: under the Freedom of Information Act 2000, Environmental Information Regulations 2004 or the Data Protection Act

Found: accordance with the CMA’s obligations under the UK General Data Protection Regulation and the Data Protection Act

Found: This legislation is the General Data Protection Regulation 2016 and the Data Protection Act 2018.

Found: Section 8(d) of the Data Protection Act 2018 states that this will include processing of personal data

Found: under the Freedom of Information Act 2000, or the UK General Data Protection Regulations/Data Protection Act

Found: DfT will process your personal data in accordance with the Data Protection Act (DPA) and in the majority

Found: DfT is also committed to ensuring that its policies and practices comply with the Data Protection Act

Found: In addition, the relevant principles of the Data Protection Act 2018 will apply to the police and law

Found: information in contravention of the data protection legislation within the meaning of the Data Protection Act

Found: that any scheme established will operate within devolved competence and be compatible with the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: telecommunications offs • Disclosure of information • Interception of Communications Act 1984 • Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: processes in place to support the individual’s right to access their own personal data under the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: All details are held in accordance with the Data Protection Act.

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: process your personal data in line with the UK General Data Protection Regulation 2018 and the Data Protection Act

Found: For Law Enforcement processing, Data Protection Act 2018, section 67.

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: Under UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018, personal

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principes in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: The project team has complied with data protection regulations (GDPR and Data Protection Act 1998) with

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: prohibits, restricts access or relates to the disclosure of that information, for example the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation  and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: collected in accordance with the The UK General Data Protection Regulation (UKGDPR) and the Data Protection Act

Found: nciples in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: treated as a breach of this agreement 5.3 The Grantee shall ensure that all requirements of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: Article 5(1) of the General Data Protection Regulations (GDPR) and in Section 34(1) of the Data Protection Act

Found: protection and privacy legislation in force from time to time in the UK including: a) the Data Protection Act

Found: gathered, held, processed or to be shared requires a clear purpose and lawful basis under the Data Protection Act

Found: breaches arising from noncompliance with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regul ation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: to provide information facilitates a lawful basis for processing under section 8(c) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: individuals with regard to the processing of Personal Data to which a Party is subject including the Data Protection Act

Found: as a breach of this agreement 6.3 The Grantee shall ensure that all requirements of the Data Protection Act

Found: are the data subject, and so it is subject to the General Data Protection Regulation and the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: are collecting this data in the performance of a public task, under Article 6(1)(e) of the Data Protection Act

Found: are collecting this data in the performance of a public task, under Article 6(1)(e) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: Nations Convention of the Rights of Persons with Disabilities; Education (Scotland) Act 2016; Data Protection Act

Found: Article 5(1) of the General Data Protection Regulations (GDPR) and in Section 34(1) of the Data Protection Act

Found: information given to us about you and your complaint for its intended purpose and in line with Data Protection Act

Found: For compliance with the Data Protection Act 1998, personal information such as people’s telephone numbers

Found: ; and also to view the decision on the appeal once it has been made.For compliance with the Data Protection Act

Found: party and disclosing it would contravene the data protection principles in Schedule 1 to the Data Protection Act

Found: contravene the data protection principles in Article 5(1) of the UK GDPR (or section 34(1) of the Data Protection Act

Found: Article 5(1) of the General Data Protection Regulations (GDPR) and in Section 34(1) of the Data Protection Act

Found: Article 5(1) of the General Data Protection Regulations (GDPR) and in Section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: Article 5(1) of the General Data Protection Regulations (GDPR) and in Section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: of Information (Scotland) Act 2002 (FOISA), the UK General Data Protection Regulation, the Data Protection Act

Found: organisation a public authority or body as set out in Part 2, Chapter 2, section 7 of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: Article 5(1) of the General Data Protection Regulations (GDPR) and in Section 34(1) of the Data Protection Act

Found: Article 5(1) of the General Data Protection Regulations (GDPR) and in Section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: protection principles in the UK General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: Computer Misuse Act 1990, the Network and Information Systems Regulations 2018, the UK GDPR or the Data Protection Act

Found: individuals with regard to the processing of Personal Data to which a Party is subject including the Data Protection Act

Found: the Trade Union and Labour Relations (Consolidation) Act 1992, or commit any breach of the Data Protection Act

Found: individuals with regard to the processing of Personal Data to which a Party is subject including the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: individuals with regard to the processing of Personal Data to which a Party is subject including the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: individuals with regard to the processing of Personal Data to which a Party is subject including the Data Protection Act

Found: individuals with regard to the processing of Personal Data to which a Party is subject including the Data Protection Act

Found: Computer Misuse Act 1990, the Network and Information Systems Regulations 2018, the UK GDPR or the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: Date of Birth D.O.D Date of Death DPA Data Protection Act 2018 DPIA Data Protection Impact Assessment

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: You will duly observe your obligations under the Data Protection Act 2018 and the General Data Protection

Found: and in particular the principles of the General Data Protection Regulation (GDPR) and the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Found: principles in Article 5(1) of the General Data Protection Regulation and in section 34(1) of the Data Protection Act

Question

To ask the Scottish Government whether it has plans to make the Scottish Kept Birds Register publicly searchable, and, if not, for what reason. 

Answered by Fairlie, Jim - Minister for Agriculture and Connectivity

The Scottish Government has no plans to make the Scottish Kept Birds Register publicly searchable.

The Scottish Kept Bird Register is a mandatory register for bird keepers in Scotland under the Avian Influenza (Preventive Measures) (Scotland) Amendment Order 2024. It was established to allow Scottish Government and its deliver body, the Animal and Plant Health Agency, to send vital biosecurity information to bird keepers to minimise the risk of the spread of notifiable avian diseases, particularly highly pathogenic avian influenza. The register also supports mandatory surveillance activities during disease outbreaks. The information has also been used to help support public health response in the offer of vaccinations to poultry keepers.

In accordance with Data Protection Act 2018 a commitment was made to those registering, in the Scottish Kept Bird Register Privacy Notice, as to how the data collected would be used. This can be summarised as to determine the size and location of the kept bird population in Scotland, for communication and disease control activities during notifiable avian disease outbreaks, and for promoting bird welfare and public health.

To make this data public would be in breach of the Data Protection Act of 2018, as the Scottish Government would be unable to control the uses to which the data was being put. The Scottish Government is legally required to make arrangements to ensure that the data collected is retained securely and protected from data breach. This is in common with registers for other animals and livestock across Scotland held by Scottish Government.

Found: SWYDDFA’R ARWEINYDD LEADER'S OFFICE Your information is processed under the Data Protection Act 2018

Found: ending on 31 August, ( ) “data protection legislation” has the same meaning as in the Data Protection Act

Found: ending on 31 August, ( ) “data protection legislation” has the same meaning as in the Data Protection Act

Found: share information in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act

Found: (3) In this section “data protection legislation” has the same meaning as in the Data Protection Act

Found: (3) In this section “data protection legislation” has the same meaning as in the Data Protection Act

Found: provisions are compliant with the data protection principles enshrined in the UK GDPR and the Data Protection Act

Found: provisions are compliant with the data protection principles enshrined in the UK GDPR and the Data Protection Act

Found: sharing, it is intended that the Commission will be a public authority for the purposes of the Data Protection Act

Found: sharing, it is intended that the Commission will be a public authority for the purposes of the Data Protection Act

Found: duty into account) contravene the data protection legislation within the meaning of the Data Protection Act

Found: the duty into account) contravene the data protection legislation (within the meaning of the Data Protection Act

Found: the duty into account) contravene the data protection legislation (within the meaning of the Data Protection Act

Found: the duty into account) contravene the data protection legislation (within the meaning of the Data Protection Act

Found: duty into account) contravene the data protection legislation within the meaning of the Data Protection Act

Found: duty into account) contravene the data protection legislation within the meaning of the Data Protection Act

Found: ending on 31 August, ( ) “data protection legislation” has the same meaning as in the Data Protection Act

Found: ending on 31 August, ( ) “data protection legislation” has the same meaning as in the Data Protection Act

Found: used in line with the requirements of the UK General Data Protection Regulation (UKGDPR), the Data Protection Act

Found: provided by UK legislation set out in the General Data Protection Regulation (GDPR) and the Data Protection Act

Found: This code must be consistent with the data sharing code prepared and issued under the Data Protection Act

Found: exemption to the Information Commissioner’s assessment notices powers under section 147(6) of the Data Protection Act

Found: Bill, clause 41 Interview Notices (clause 38 as introduced) inserts new provisions into the Data Protection Act

Found: Response: Clause 41 Interview Notices (clause 38 as introduced) inserts new provisions into the Data Protection Act

Found: The GDPR works in tandem with the UK’s Data Protection Act 2018 (the DPA 2018) to govern the processing

Found: currently in place across the EU and the UK (the General Data Protection Regulation (GDPR) and the Data Protection Act

Found: The UK’s Data Protection Act (DPA) 2018 received Royal Assent around the same time, and both pieces

Found: interacts with a wide range of other key legislation: • Births and Deaths Registration Act 1953 • Data Protection Act

Found: been included after clause 88 (Data protection), which seeks to give assurances that the Data Protection Act

Found: UK Government amendments 65 and 66 remove a cross reference to s183A of the Data Protection Act 2018

Found: Economy Act 2017 (c. 30), and was amended by paragraph 135(4) and (5) of Schedule 19(1) to the Data Protection Act

Found: legislation. 10 (3) In this section, “data protection legislation” has the same meaning as in the Data Protection Act

Found: (3) In this section, “data protection legislation” has the same meaning as in the Data Protection Act

Found: sharing, it is intended that the Commission will be a public authority for the purposes of the Data Protection Act

Found: the duty into account) contravene the data protection legislation (within the meaning of the Data Protection Act

Found: the duty into account) contravene the data protection legislation (within the meaning of the Data Protection Act

Found: the duty into account) contravene the data protection legislation (within the meaning of the Data Protection Act

Found: duty into account) contravene the data protection legislation 20 (within the meaning of the Data Protection Act

Found: (3) In this section, “data pr otection legislation” has the same meaning as in the Data Protection Act

Found: legislation. 10 (3) In this section, “data protection legislation” has the same meaning as in the Data Protection Act

Found: (3) In this section, “data protection legislation” has the same meaning as in the Data Protection Act

Found: Data was supplied via postcodes and handled in accordance with the 1998 Data Protection Act with special

Found: personal data underlying these statistics are processed in accordance with the requirements of the Data Protection Act

Found: Section 8 of the Data Protection Act 2018 (“the 2018 Act”) supplements Article 6(1) of the UK GDPR by

Found: Information Act 2000 (the “FOIA”), the Environmental Information Regulations 2004 (the “EIR”), the Data Protection Act

Found: Information Act 2000 (the “FOIA”), the Environmental Information Regulations 2004 (the “EIR”), the Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 2018 (‘the DPA 2018’)

Found: Act 2010 4.2 Gender Recognition Act 2004 4.3 UK General Data Protection Regulation and Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 1998 (‘the DPA 2018’)

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 2018 (‘the DPA 2018’)

Found: data protection principles, or (b) would do so if the exemptions in section 24(1) of the Data Protection Act

Found: dictated by data protection regulations; General Data Protection Regulations UK (UK GDPR) and Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 2018 (‘the DPA 2018’)

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 2018 (‘the DPA 2018’)

Found: personal data underlying these statistics are processed in accordance with the requirements of the Data Protection Act

Found: Education Act 1996 and that their processing of personal data is in line with UK GDPR and the Data Protection Act

Found: in accordance with the obligations and duties under the Freedom of Information Act 2000, the Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 2018 (‘the DPA 2018’)

Found: protection legislation, such as the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act

Found: However, under the Data Protection Act 1998, the addresses and other contact information of private

Found: Organisation (if applicable) Date You must keep a copy of your completed form Data Protection Act

Found: this Contract in respect of which such Party is liable to the other; DPA 2018 means the Data Protection Act

Found: other duties, including its duties under the General Data Protection Regulations 2018, the Data Protection Act

Found: Information Act 2000 (the “FOIA”), the Environmental Information Regulations 2004 (the “EIR”), the Data Protection Act

Found: Information Act 2000 (the “FOIA”), the Environmental Information Regulations 2004 (the “EIR”), the Data Protection Act

Found: personal data underlying these statistics are processed in accordance with the requirements of the Data Protection Act

Found: Information Regulations 2004 (the “EIR”) the General Data Protection Regulation (GDPR) and Data Protection Act

Found: their legal obligations, namely the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act

Found: Under the UK GDPR, Data Protection Act 2018 and the Freedom of Information Act 2000 the contents of

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 2018 (‘the DPA 2018’)

Found: personal data underlying these statistics are processed in accordance with the requirements of the Data Protection Act

Found: will process personal data, or require another organisation to do so, must comply with the Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 1998 (‘the DPA 2018’)

Found: have a legal requirement: • to adhere to the General Data Protection Regulation (GDPR), Data Protection Act

Found: personal data underlying these statistics are processed in accordance with the requirements of the Data Protection Act

Found: personal data underlying these statistics are processed in accordance with the requirements of the Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 1998 (‘the DPA 2018’)

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 1998 (‘the DPA 2018’)

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 2018 (‘the DPA 2018’)

Found: obligations under the Freedom of Information Act 2000, the Environmental information Act 2004, Data Protection Act

Found: great importance on protecting people’s privacy and their data in full compliance with the Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 1998 (‘the DPA 2018’)

Found: are presented impartially and objectively and are in accordance with the requirements of the Data Protection Act

Found: In our view the requirements of section 10 of and paragraph 1 of Schedule 1 to the Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 2018 (‘the DPA 2018’)

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 2018 (‘the DPA 2018’)

Found: personal data underlying these statistics are processed in accordance with the requirements of the Data Protection Act

Found: obligations under the Freedom of Information Act 2000, the Environmental information Act 2004, Data Protection Act

Found: personal data underlying these statistics are processed in accordance with the requirements of the Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 2018 (‘the DPA 2018’)

Found: personal data underlying these statistics are processed in accordance with the requirements of the Data Protection Act

Found: The information you provide will be handled in accordance with the UK Data Protection Act 1998, which

Found: obligations under the Freedom of Information Act 2000, the Environmental Information Act 2004 or the Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 1998 (‘the DPA 2018’)

Found: The present study complied with the 2018 Data Protection Act, which allows sensitive study data to be

Found: personal data underlying these statistics are processed in accordance with the requirements of the Data Protection Act

Found: in accordance with the obligations and duties under the Freedom of Information Act 2000, the Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 1998 (‘the DPA 2018’)

Found: in accordance with the obligations and duties under the Freedom of Information Act 2000, the Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 2018 (‘the DPA 2018’)

Found: obligations under the Freedom of Information Act 2000, the Environmental information Act 2004 or the Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 2018 (‘the DPA 2018’)

Found: personal data underlying these statistics are processed in accordance with the requirements of the Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 2018 (‘the DPA 2018’)

Found: Information Act 2000 (the “FOIA”), the Environmental Information Regulations 2004 (the “EIR”), the Data Protection Act

Found: accordance with its obligations and duties under the: • Freedom of Information Act 2000 • The Data Protection Act

Found: Information Act 2000 (the “FOIA”), the Environmental Information Regulations 2004 (the “EIR”), the Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 1998 (‘the DPA 2018’)

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 2018 (‘the DPA 2018’)

Found: It is a requirement under Article 26 of Data Protection Act 2018 and is quite commonly used in Central

Found: personal data underlying these statistics are processed in accordance with the requirements of the Data Protection Act

Found: ‘Personal data’ is defined in sections 3(2) and (3) of the Data Protection Act 1998 (‘the DPA 2018’)

Found: personal data underlying these statistics are processed in accordance with the requirements of the Data Protection Act

Question

What Welsh Government guidance is provided to GP practices regarding charging patients for accessing their medical records?

Answered by Cabinet Secretary for Health and Social Care

The General Data Protection Regulations and the Data Protection Act 2018 were made by the UK government and apply to the four nations of the UK. GP practices cannot charge patients for reasonable access to their medical record. Guidance for GPs has been issued by the BMA to help practices in understanding their statutory obligations. bma-access-to-health-records-nov-19.pdf

Question

What is the average time taken to respond to FOI requests, broke down by department, over each of the last three years?

Answered by First Minister

The information for the calendar years 2021, 2022 and 2023 are provided in the tables below. Please note:

The statistics relate to the handling of requests for recorded information under the Freedom of Information Act 2000 (FOIA), the Environmental Information Regulations 2004 (EIRs) and the Data Protection Act 2018 (DPA2018) / UK General Data Protection Regulation (UK GDPR).

The FOIA and EIRs both require public bodies to normally respond to written requests for information within 20 working days of receipt, with limited exceptions. The FOIA allows for a reasonable extension to the 20 working day deadline when considering a public interest tested exemption and the EIRs allow for an extension of a maximum of a further 20 working days if the request is complex and voluminous.  This means that some requests that took over 20 working days to respond would still have been responded to within the statutory deadline.

Requests Received in 2021:

Note: *These requests did not fall under any specific group area and were dealt with centrally by the Information Rights Unit.

Requests Received in 2022: (Note there was an organisational change in April 2022):

Note: *These requests did not fall under any specific group area and were dealt with centrally by the Information Rights Unit.

Requests Received in 2023:

Question

Will the Minister detail operating costs, including rent, utilities, staffing and expenses, for each of the Welsh Government’s offices abroad during this current Senedd term to date?

Answered by Minister for Finance and Trefnydd

Information on the running costs for each international office can be found within the State of the Estate report at the following link https://gov.wales/state-estate-report-2018-to-2019.

Data protection legislation requires us to protect personal information being held in relation to individual members of staff, and others, and to ensure that it is only used for the purposes for which it was collected. As there are a small number of staff in each of the offices, disclosure of the total staff costs for each office is likely to allow the actual salaries of each individual to be identified. We believe that releasing this information would be in breach of the Data Protection Act.

The figures in the State of the Estate report does not cover the whole of the Senedd term. Therefore, I will write to you shortly with the figures for 2019/20, once the information has been collated. The figures for 2020/21 are not yet available.

Substantive response

Found: protects people against discrimination and supports equal employment opportunities; ƒ The Data Protection Act

Found: Article 6(1)(e) of the General Data Protection Regulation read together with section 8(d) of the Data Protection Act

Found: 6(1)(e) of the General Data Protection Regulation read together with section 8(d) of the Data Protection Act

Found: Other significant amendments seek to include references to the Data Protection Act 2018.

Found: establish a new data protection regime for non-law enforcement data processing, replacing the Data Protection Act

Found: ruling in relation to the drafting of information sharing provisions and the application of the Data Protection Act